Add TCM access control page #3866

Merged
merged 6 commits into from
Nov 22, 2023

@p7nov p7nov commented Nov 21, 2023

Resolves #3634

Deployment: https://docs.d.tarantool.io/en/doc/gh-3634-tcm-rbac/reference/tooling/tcm/tcm_access_control/

Add new section TCM > Access Control:

  • Permissions: administrative and cluster, concepts
  • Roles: concepts, management instructions
  • Users: concepts, management instructions
  • Passwords/secrets: definitions and concepts, management, expiry, blocking, password policy
  • Sessions
  • Permissions reference

TODO (in scope of #3637):

  • Move permissions reference to future section TCM > Reference
  • Move password policy items description to future section TCM > Reference.

Comment on lines 355 to 359
* - ``cluster.lowlevel.state.read``
- Read low-level information about cluster configuration (for debug purposes)

* - ``cluster.lowlevel.state.write``
- Write low-level information about cluster configuration (for debug purposes)

move it to the bottom please to make it

Comment on lines 290 to 294
* - ``admin.lowlevel.state.read``
- Read low-level information from |tcm| storage (for debug purposes)

* - ``admin.lowlevel.state.write``
- Write low-level information to |tcm| storage (for debug purposes)

move it to the bottom please

- Toggle development mode

* - ``user.password.change``
- Change own password

let's remove. seems that we don't use it in tcm, sorry

@p7nov p7nov requested a review from andreyaksenov November 21, 2023 11:57
set of permissions for each cluster.

Technically, cluster permissions define pages shown in the **Cluster** section
of the left menu and controls available on these pages. For example, users
Contributor

Don't quite understand to which word controls refers: permissions, section, menu?


1. Click **Add**.
2. Fill in the user information: username, full name, and description.
3. Generate or enter a password.
Contributor

Not sure but to me enter a password sounds like it should be entered when logging in. I'd think about replacing it with specify.

and the private key is a password.

Users receive their first passwords during the account creation. It can be entered
manually or generated automatically.
Contributor

I'd remove the second sentence here as it duplicates the info from Managing users (and added the link for account creation to Managing users).

Changing users' passwords
~~~~~~~~~~~~~~~~~~~~~~~~~

Administrators can manage a user's passwords on this user's **Secrets** page.
Contributor

a user's passwords

sounds like a user can have multiple passwords

it's true

@p7nov p7nov Nov 22, 2023

This subject is confusing me a bit. The case of one TCM user having multiple secrets (username/password pairs) is technically possible. I didn't describe it on purpose: I don't see a valid real-life usage scenario for this.

AFAIU, this functionality is intended for use when TCM receives more than one way to authenticate users. For example, one user will have three secrets: a password, a certificate, and a fingerprint (whatever, just imagining :)). But right now it doesn't look useful in practice.

@filonenko-mikhail, what do you think? should we describe the case of multiple passwords explicitly (therefore encouraging readers to do this)?

Comment on lines 232 to 233
- **Block after N login attempts**.
- **User lockout time in seconds**.
@andreyaksenov andreyaksenov Nov 21, 2023
The reason will be displayed to describe this comment to others. Learn more.

Are these settings related? Don't quite understand the second one

Contributor Author

Added the descriptions

- Manage LDAP configurations

* - ``admin.passwordpolicy.read``
- View password policy
Contributor

Looks like the first column should be a bit wider:
image

Contributor Author

Fixed

:widths: 30 70
:header-rows: 1

* - Permission
@filonenko-mikhail filonenko-mikhail Nov 21, 2023
The reason will be displayed to describe this comment to others. Learn more.

my bad,

user.password.change is actual for access to change own password, please restore it

Contributor Author

Restored

filonenko-mikhail commented Nov 22, 2023 via email

@p7nov p7nov merged commit 40e9ad4 into 3.0 Nov 22, 2023
@p7nov p7nov deleted the gh-3634-tcm-rbac branch November 22, 2023 08:03
andreyaksenov added a commit that referenced this pull request Dec 6, 2023
Resolves #3634 

Co-authored-by: Andrey Aksenov <[email protected]>